From 917fef98ce6100a9c51c10c4cde75a3b99632dbf Mon Sep 17 00:00:00 2001
From: Claudiu Popa
Date: Thu, 9 Apr 2015 02:22:53 +0300
Subject: [PATCH] Escape the password for WinRM certificate XML
This patch escapes the password formatted into a hand-crafted XML for the WinRM certificate mapping. Without it, using passwords such as 'P@ssw&d' will make the WinRM certificate auth plugin to fail with a "The WS-Management service cannot process the request because the XML is invalid.", which is actually true, since the resulting XML is not valid, due to the unescaped and sign.
Change-Id: Ia93ab13a4ae5783c1fed5fbb748902bda84e9b65
Closes-Bug: #1441884
---
 .../tests/utils/windows/test_winrmconfig.py | 13 +++++++++----
 cloudbaseinit/utils/windows/winrmconfig.py | 7 +++++--
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/cloudbaseinit/tests/utils/windows/test_winrmconfig.py b/cloudbaseinit/tests/utils/windows/test_winrmconfig.py
index 000e6b19..0f10da34 100644
--- a/cloudbaseinit/tests/utils/windows/test_winrmconfig.py
+++ b/cloudbaseinit/tests/utils/windows/test_winrmconfig.py
@@ -14,6 +14,7 @@ import importlib
 import unittest
+from xml.sax import saxutils
 try:
 import unittest.mock as mock
@@ -267,10 +268,14 @@ class WinRMConfigTests(unittest.TestCase):
 'subject': 'subject', 'uri': 'fake:\\uri'}
 mock_get_xml_bool.return_value = True
+ fake_password = "Pa&ssw0rd!"
+ fake_username = 'fake user'
+ expected_password = saxutils.escape(fake_password)
+ expected_username = saxutils.escape(fake_username)
 self._winrmconfig.create_cert_mapping(
- issuer='issuer', subject='subject', username='fake user',
- password='fake password', uri='fake:\\uri', enabled=True)
+ issuer='issuer', subject='subject', username=fake_username,
+ password=fake_password, uri='fake:\\uri', enabled=True)
 mock_get_xml_bool.assert_called_once_with(True)
 mock_create_resource.assert_called_once_with(
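Review bot: The expected values in the `@@ -267,10 +268,14 @@` hunk are computed with `saxutils.escape`, the same call the fix uses, so the assertion never pins the escaped text that is actually passed to `_create_resource`; prefer a literal such as `expected_password = "Pa&amp;ssw0rd!"`. `fake_username = 'fake user'` contains no XML-special character, so the username escaping is not exercised at all; a constructed sample such as `'fake<&>user'` would cover it, including `<` and `>`, which could change the document structure rather than merely invalidate it. The same applies to the expected dict in the `@@ -281,8 +286,8 @@` hunk. The test method starts and ends outside both hunks.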
@@ -281,8 +286,8 @@ class WinRMConfigTests(unittest.TestCase):
 '%(password)s' '%(username)s' '' % {'enabled': True,
- 'username': 'fake user',
- 'password': 'fake password'})
+ 'username': expected_username,
+ 'password': expected_password})
 @mock.patch('cloudbaseinit.utils.windows.winrmconfig.WinRMConfig.' '_get_resource')
diff --git a/cloudbaseinit/utils/windows/winrmconfig.py b/cloudbaseinit/utils/windows/winrmconfig.py
index 9505152a..b9aa9082 100644
--- a/cloudbaseinit/utils/windows/winrmconfig.py
+++ b/cloudbaseinit/utils/windows/winrmconfig.py
@@ -17,6 +17,7 @@ import re
 from win32com import client
 from xml.etree import ElementTree
+from xml.sax import saxutils
 CBT_HARDENING_LEVEL_NONE = "none"
@@ -127,6 +128,8 @@ class WinRMConfig(object):
 resource_uri = self._SERVICE_CERTMAPPING_URI % {'issuer': issuer, 'subject': subject, 'uri': uri}
+ escaped_password = saxutils.escape(password)
+ escaped_username = saxutils.escape(username)
 self._create_resource( resource_uri, '